Skip to content

fix(ci): install pip into the uv venv so pip-audit can introspect it#120

Merged
TexasCoding merged 1 commit into
mainfrom
fix/pip-audit-missing-pip
May 17, 2026
Merged

fix(ci): install pip into the uv venv so pip-audit can introspect it#120
TexasCoding merged 1 commit into
mainfrom
fix/pip-audit-missing-pip

Conversation

@TexasCoding

Copy link
Copy Markdown
Owner

Summary

First post-merge pip-audit run on main failed:

/home/runner/work/kalshi-python-sdk/kalshi-python-sdk/.venv/bin/python: No module named pip

uv sync creates a venv without pip (uv has its own resolver), but pip-audit shells out to pip to enumerate installed packages. Added uv pip install pip after the sync to seed it.

Kept continue-on-error: true on the audit job (non-blocking by design until the noise floor is established).

Failing run: https://github.com/TexasCoding/kalshi-python-sdk/actions/runs/25990783709

Test plan

  • YAML parses cleanly
  • First post-merge run on main completes without the "No module named pip" error

First post-merge pip-audit run failed with:

    /home/runner/.../.venv/bin/python: No module named pip

uv sync creates a venv without pip (uv has its own resolver), but
pip-audit shells out to pip to enumerate installed packages. Adding
`uv pip install pip` after the sync seeds it.

Confirmed `continue-on-error: true` does mark the job as failed even
though it doesn't gate the workflow — leaving that intact since the
intent is "surface CVEs visibly, not block."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@claude

claude Bot commented May 17, 2026

Copy link
Copy Markdown

Code Review

Overall: LGTM — correct, minimal, well-explained fix.

What this does

uv sync deliberately omits pip from the venv (uv has its own resolver). The pypa/gh-action-pip-audit action shells out to pip when given a virtual-environment input, so the job crashed with No module named pip. Adding uv pip install pip seeds just enough for the action to introspect the installed packages.


Strengths

  • Surgical change. Only the broken step is touched — nothing else in the workflow was disturbed.
  • Comment is warranted. uv pip install pip is exactly the kind of line that would stop a future reader cold. Per the project's conventions, a comment is appropriate when the WHY is non-obvious. The inline block is concise and accurate.
  • SHA-pinned actions remain intact. The existing actions/checkout, setup-uv, and gh-action-pip-audit pins are untouched, consistent with the Security: pin claude.yml and claude-code-review.yml actions to SHA #93 precedent.
  • continue-on-error: true preserved. Correct — this job is still non-blocking.

One Alternative Worth Knowing

A slightly more uv-idiomatic approach would be to export a requirements file and pass it directly to the action instead of installing pip:

- name: Export lockfile for audit
  run: uv export --format=requirements-txt --no-dev > requirements-audit.txt

- name: Run pip-audit
  uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266  # v1.1.0
  with:
    inputs: requirements-audit.txt

This avoids the pip install entirely and audits the locked deps rather than the installed environment. The tradeoff: it audits the lockfile, not the realized venv, so any install-time resolution differences would be missed. For this project's use case that's a negligible difference.

Not a blocker — the current approach is simpler and correct. Just flagging it for future consideration.


Minor Notes

  • uv pip install pip will pull the latest pip on every run. That's fine and arguably desirable (pip itself gets CVE fixes), but if pinning becomes a concern later, uv pip install "pip>=X" is easy to add.
  • Test plan item Auth path percent-encoding canonicalization #2 (no No module named pip on first post-merge run) is the real validation — nothing more to verify pre-merge for a CI config fix.

Ready to merge once CI passes.

@TexasCoding TexasCoding merged commit f07ff87 into main May 17, 2026
4 checks passed
@TexasCoding TexasCoding deleted the fix/pip-audit-missing-pip branch May 17, 2026 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant